mxmssh / drltrace

Drltrace is a library calls tracer for Windows and Linux applications.
BSD 3-Clause "New" or "Revised" License

adding system call tracing and anti-analysis detection #27

Closed TakahiroHaruyama closed 3 years ago

TakahiroHaruyama commented 3 years ago

Hi, I'm a malware reverse engineer and am looking for a dynamic analysis tool with:

I think DBI is a good candidate to implement this easily, and your code looks great for my requirements. I have questions.

  1. Will you integrate the drstrace function code in Dr. Memory into your version of drltrace in the future?
  2. If not I'll implement my own based on your code and DynamoRIO APIs (e.g., Code Manipulation API to return dummy data against anti-analysis code). What's the difference between your drltrace and Dr. Memory's one except that it is stand-alone?
mxmssh commented 3 years ago

Hi Takahiro,

Thank you for your interest in drltrace.

  1. I do not have a plan to integrate syscall tracing from drstrace in the foreseeable future.
  2. There are a lot of small improvements that have been added after the fork of the original drltrace. However, the basic logic was not changed.

Why do you want drstrace to be integrated into drltrace? I do understand you need more visibility, but couldn't you use the two tools separately? drltrace provides more visibility and drstrace gives you performance and stability.

TakahiroHaruyama commented 3 years ago

Thanks for the reply.

> Why do you want drstrace to be integrated into drltrace? I do understand you need more visibility, but couldn't you use the two tools separately? drltrace provides more visibility and drstrace gives you performance and stability.

Some malware and commercial packers use system calls directly to avoid breakpoints on some APIs like VirtualProtectEx. That's why I'd like to see the call sequence with not only library calls but also system calls together.

mxmssh commented 3 years ago

I see. Yes, it makes sense. Please be aware of the fact that DynamoRIO on Windows for malware analysis might be unstable and sometimes crash. I have run thousands of samples with drltrace and had many problems.

TakahiroHaruyama commented 3 years ago

Thanks for the advice :-) Actually I'm still thinking about which tool/platform is the best for my purpose in terms of stability, visibility, and simplicity.

You have experience with DynamoRIO through drltrace. If you were to create a dynamic analysis tool again, would you choose another approach (e.g., Pin instead of DynamoRIO, a hypervisor-based tool, an emulator)? I'd like to have your honest opinion.

mxmssh commented 3 years ago

Well, I would say give a hypervisor-based solution a try since it is the most transparent for malware, but it would be a really long-term project since hypervisors are not easy to work with! :) I wouldn't go for an emulator due to high performance overhead, lower stability, etc. A DynamoRIO-based solution is relatively cheap from a (time invested for development)/(samples supported) point of view, but don't expect too much from it. I used to work with drltrace to research malware and sometimes it would give me a very quick answer about what's going on, but sometimes samples would just crash. Additionally, you still need to bypass anti-VM checks for some samples when you run them with drltrace.

P.S. Intel PIN is not supported anymore and I wouldn't rely on it.

mxmssh commented 3 years ago

You can always run drltrace+drstrace and give it a try on a few samples to check if this makes sense for you in general.

TakahiroHaruyama commented 3 years ago

Thank you so much! I agree hypervisors are fun to work on, but it will take a long time. And IMO it is not efficient to implement library call tracing and instruction-level manipulation from the hypervisor side due to the semantic gap.

> Additionally, you still need to bypass anti-VM checks for some samples when you run them with drltrace.

Yes, that's why I'd like to detect and modify the anti-analysis code. DBI looks like an easy way to do that.

My motivation is to detect anti-analysis methods used by packers or malware quickly. I don't need the full API execution log. So I think I should try emulation tools first, then move to drltrace+drstrace if that fails.

Anyway, I really appreciate your advice :-)